
Companies are weighing security vs convenience for the users vs support costs. They do know they could be more secure but the goal is not max security but rather some kind of balance between the three mentioned above. And sometimes it is in fact just sheer incompetence.

Trouble is, most people do not know what to do with a physical second factor. They don't know you need more than one and that you need to keep one offsite. They don't understand that the way to make a second factor work well is to deny the ability to recover your access without it, with all the nasty consequences of that.

For a company that provides service to customers, this is a nightmare. Unhappy customers, high support costs of trying to somehow securely give access back to people who lost their tokens.

I think a much easier solution is to go to your mobile carrier and get an arrangement where they require you to go through special hoops to get the SIM card if you lose it or to port the number (which is what I did).

Also, if you really care about security, put that number on a separate phone on which you absolutely don't install any extra software. And do not use this phone for normal communication, do not put it in any contacts, and try to avoid associating it with your name. This phone becomes your second factor, so you might just as well get something cheap and small.
